Access control lists

Archiveopteryx supports fine-grained access control. A mailbox, a
tree of mailboxes, or the entire server can be controlled, and there
are many rights, all of which can be granted or denied individually.

The search terminates in step 4, since we explicitly set a right
for that. Next, Archiveopteryx checks whether the set rights include
r (read) and a few other rights. In this
case r is there, so the attempt to open
/shared/nemesis succeeds. Since none of the other rights are present,
the access is read-only.

k (create mailboxes) is the right to
create new mailboxes as children of this mailbox.

x (delete mailbox) is the right to
delete this mailbox (or children).

t (delete messages) is the right to mark
messages as deleted.

e (expunge) is the right to delete
messages marked using t. (Note that
retention policies override this
right.)

a (admin) is the right to grant or remove
rights for other users (typically using the
IMAP ACL extension).

n (write shared annotation) is the
right to write a world-visible
IMAP annotation on a message.

By default everyone has the l (lookup)
right, and the mailbox owner also has all other rights.
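As an added illustration (not Archiveopteryx's own code), the model below shows how rights set on a single mailbox, on a subtree, or on the whole server can resolve to read-only or read-write access. It assumes a dictionary of ACL entries keyed by mailbox path, a lookup that walks from the mailbox towards the root and stops at the first entry naming the user, and that "read-only" means r is present without any of the modifying rights described above (k, x, t, e, n); none of those details are stated on this page.

```python
# Simplified model of hierarchical mailbox ACL resolution (assumption: the
# nearest explicit entry wins, the owner has every right, everyone else
# defaults to lookup only).

ALL_RIGHTS = set("lrkxtean")  # lookup, read, create, delete mailbox,
                              # delete messages, expunge, admin, annotate
MODIFY = set("kxten")         # rights that change the mailbox or its messages

# Constructed sample data: "admin" owns /shared; "bob" is granted read-only
# access on the whole /shared subtree; "carol" may read, delete and expunge
# in /shared/nemesis only.
OWNERS = {"/shared": "admin"}
ACL = {
    "/shared": {"bob": set("lr")},
    "/shared/nemesis": {"carol": set("lrte")},
}


def ancestors(path):
    """Yield the mailbox path, then each parent, ending at the root "/"."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


def rights_for(user, mailbox):
    """Effective rights of user on mailbox: first explicit entry wins."""
    for p in ancestors(mailbox):
        if user == OWNERS.get(p):
            return set(ALL_RIGHTS)          # owner holds all rights
        entry = ACL.get(p, {}).get(user)
        if entry is not None:
            return set(entry)               # explicit grant/denial found
    return {"l"}                            # default: lookup only


def open_mode(user, mailbox):
    """Return 'read-write', 'read-only', or None when the open must fail."""
    rights = rights_for(user, mailbox)
    if "r" not in rights:
        return None
    return "read-write" if rights & MODIFY else "read-only"
```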

Weaknesses

We only know about one attack against this system, and it's rather
weak:

The l (lookup) right is subject to
timing attacks. If an attacker wants to know which of the mailboxes
/x/1, /x/2, /x/3 and /x/4 exist, it is possible to issue many LIST
commands and analyse the response timings statistically. This attack
only works for logged-in IMAP users, and it cannot be used to ask
"which mailboxes exist?", only "which mailboxes in
this list exist?".